{{tag>[security openldap centos6.5]}}
=====CentOS 6 - OpenLDAP 2.4 client with TLS=====
====Install packages====
yum install pam_ldap nss-pam-ldapd sssd openldap-clients
====Configure OpenLDAP client====
===Import CA root certificate===
mkdir -p /etc/openldap/cacerts
cp caroot.crt /etc/openldap/cacerts/
===Authconfig===
authconfig-tui
[*] Use LDAP
[*] Use Shadow passwords
[*] Use LDAP Authentication
[*] Local authorization is sufficient
[*] Use TLS
Server: ldaps://
Base DN:
===Configure ldap.conf===
vi /etc/openldap/ldap.conf
URI ldaps://:636/
BASE
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
===Configure pam_ldap===
vi /etc/pam_ldap.conf
base
uri ldaps://:636/
pam_password exop
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===Configure sssd.conf===
vi /etc/sssd/sssd.conf
!Configure FQDN server names!
ldap_chpass_uri = ldaps://
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
===Test===
service sssd restart
Check that a hashed symlink for the CA certificate exists in /etc/openldap/cacerts (TLS_CACERTDIR looks the CA up by its subject hash, not by file name)
ldapsearch -x -b "dc="
getent passwd
getent group
id -a
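The two client-side TLS checks above (the hashed CA link in TLS_CACERTDIR and the TLS_REQCERT setting) can be scripted. The following is an added example written for this page, not a tool shipped with OpenLDAP or CentOS; it reads the ldap.conf directives used above, looks for the CA's hash link, and reports whether TLS_REQCERT actually makes the client reject an unverifiable server certificate. The CA file name caroot.crt and the cacerts directory are taken from the page; openssl is needed only by ca_hash().

```shell
#!/bin/bash
# Added example (not part of the original page): sanity-check an OpenLDAP
# client's TLS trust setup. Assumes the paths used on this page; openssl is
# only required by ca_hash(), the other checks work without it.

# Print the OpenSSL subject hash of a CA certificate. TLS_CACERTDIR finds CAs
# by this name with a ".0" suffix (cacertdir_rehash creates the symlinks).
ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Print the value of a directive from an ldap.conf-style file: keyword is
# case-insensitive, fields are whitespace separated, '#' lines are comments.
# The last occurrence wins, matching how the client reads the file.
ldap_conf_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[[:space:]]*#/ { next }
        toupper($1) == key { val = $2 }
        END { if (val != "") print val }' "$1"
}

# Print the path of the hashed CA link in TLS_CACERTDIR and return 0,
# or return 1 when no <hash>.N entry exists.
cacert_link_present() {
    # $1 = TLS_CACERTDIR, $2 = subject hash
    for f in "$1"/"$2".[0-9]; do
        [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Classify TLS_REQCERT. Only "demand" (the default when unset) and "hard"
# make the client refuse a server whose certificate fails CA verification;
# "allow" accepts a bad or missing certificate, so the imported CA is not
# actually enforced.
reqcert_verdict() {
    case "$(printf '%s' "${1:-demand}" | tr '[:upper:]' '[:lower:]')" in
        demand|hard) echo "enforced" ;;
        try)         echo "weak: a bad certificate is rejected, but a missing one is accepted" ;;
        allow)       echo "weak: bad or missing server certificates are accepted" ;;
        never)       echo "weak: no server certificate is requested at all" ;;
        *)           echo "unknown value: $1" ;;
    esac
}

# Run every check against an ldap.conf and a CA file; non-zero on any problem.
check_client_tls() {
    # $1 = ldap.conf path, $2 = CA certificate path
    local conf="$1" ca="$2" dir subj_hash link verdict rc=0
    dir="$(ldap_conf_get "$conf" TLS_CACERTDIR)"
    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR missing or not a directory: '$dir'"; rc=1
    else
        subj_hash="$(ca_hash "$ca")"
        if link="$(cacert_link_present "$dir" "$subj_hash")"; then
            echo "CA hash link present: $link"
        else
            echo "no $subj_hash.0 link in $dir (run: cacertdir_rehash $dir)"; rc=1
        fi
    fi
    verdict="$(reqcert_verdict "$(ldap_conf_get "$conf" TLS_REQCERT)")"
    echo "TLS_REQCERT: $verdict"
    case "$verdict" in enforced) ;; *) rc=1 ;; esac
    return $rc
}

# Usage on a configured client:
#   check_client_tls /etc/openldap/ldap.conf /etc/openldap/cacerts/caroot.crt
```

With the ldap.conf shown above the script reports the missing hash link if cacertdir_rehash was never run, and flags TLS_REQCERT allow as weak: the CA copied into /etc/openldap/cacerts only protects against a spoofed server once the setting is demand (or simply left unset).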
===Clear the SSSD cache===
You can clear the passwd/group cache with
sss_cache -U -G